On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
Jeremy Schneider <schnjere@xxxxxxxxxx> writes:
> I'm all for having clear documentation about the security model in
> PostgreSQL, but I personally wouldn't be in favor of adding extra
> wording to the docs just to pacify concerns about a CVE which may have
> been erroneously granted by an assigning authority, who possibly should
> have done better due diligence reviewing the content. Particularly if
> there's any possibility that the decision to assign the number can be
> appealed/changed, though admittedly I know very little about the CVE
> process.
Just FYI, we have filed a dispute with Mitre about the CVE, and also
reached out to trustwave to try to find out why they filed the CVE
despite the earlier private discussion.
The original author has also pretty much acknowledged in comments on his blog and on twitter that it's not actually a vulnerability. (He doesn't agree with the design decision, which is apparently enough for a high scoring CVE registration).
